Posts: 23 | Thanked: 12 times | Joined on Jan 2010
#1
There is already a rootkit for android:
http://www.reuters.com/article/idUSTRE66T52O20100730
And the paper itself:
https://www.defcon.org/images/defcon...Rootkit-WP.pdf
Is there going to be any preventative measures against this sort of thing for MeeGo?
SELinux or perhaps having the apps run in a sandbox/chroot?
Chroot can be escaped, there are exploits which bypass SELinux restrictions and sandboxes may also
be "broken" (i.e. jailbreaking) but that's better than nothing.
Just assuming no one will bother because it's ARM didn't help android much.
I've not seen much talk about security, which is bad, so I thought I'd get people at least talking about it.
(maybe I should have written a more trollish thread for more responses, APPEL ISO4 IZ BETTAR THEN MEGOO!)
p.s. I assume apps will only run with user permissions, like maemo. That's good but not enough.
Posts: 76 | Thanked: 87 times | Joined on Mar 2010 @ Scotland
#2
If you want a computing experience that has flawless security. Turn the power off.
 

The Following User Says Thank You to ScottishDuck For This Useful Post:
Posts: 1,341 | Thanked: 708 times | Joined on Feb 2010
#3
maemo5 is very vulnerable to MITM attacks because even serious developers just download deb packages and install them with dpkg -i. This way the authenticity of the package is not checked in any way; it can be anything if there is a MITM attack.

Once a Thompson's Trojan Horse type of attack has been successfully made to some developer's system, the crack and the back door can propagate through the whole Linux community.

This is the long known weakness in deb-package-based systems.
There is a fix for having embedded signatures in deb packages, but practically no one is using it.

In the rpm system, the packages themselves have GPG signatures embedded.
So whether you install them after first transferring the package via USB stick, ftp, wget, bluetooth, *, the signature always comes along and is checked when the package is installed with the rpm program or by yum, zypper or whatever package manager Meego will have. (Ok, there can be RPM packages w/o signatures, but one has to force rpm to install this kind of package if the rpm settings are correctly set in the first place.)

I've been told the above reason is not why they chose RPM in Meego, nor the fact RPM is preferred by LSB, but for me it is an important plus and improvement. Also the RPM package system has transaction support, which comes in handy if the system is suddenly cold rebooted in the middle of a package installation, for example because the battery has drained.

Yes, I hope Meego will have SELinux also, or at least AppArmor (not as good but simpler).
 

The Following User Says Thank You to zimon For This Useful Post:
Posts: 23 | Thanked: 12 times | Joined on Jan 2010
#4
Originally Posted by ScottishDuck:
If you want a computing experience that has flawless security. Turn the power off.
Oh hello, a straw-man argument... Never did I say anything even remotely close to wanting "flawless security".
And you were even thanked for that useless post. Wow, well done m0da.


@zimon
Thanks for reminding me of AppArmor, I'd totally forgotten!
It seems to me something as simple as apparmor would be the best way to go. With a new QT GUI that is as easy and intuitive as possible of course
On systems that had SELinux I just end up setting the policy to permissive (BAD BAD BAD, I know...)
Doesn't android have something like apparmor already? or did it only have a message that states what information the app will have access to?
(Never used android)

I'm convinced apparmor or vserver NEED to be implemented for meego to have a semblance of security.
vserver can run software inside "virtual units" (jails) each with their own security contexts. AppArmor might be easier to get working

Last edited by tentpole; 2010-09-19 at 12:18.
 
Posts: 724 | Thanked: 1,255 times | Joined on Nov 2007 @ Cambridge, UK
#5
I was under the impression Nokia have been cooking up their own GNU/Linux security module. Though I'm not sure if this will be used in MeeGo, I think it was certainly their intention to have it in the Harmattan device. Though I could be way off here ...
 

The Following User Says Thank You to tswindell For This Useful Post:
Posts: 23 | Thanked: 12 times | Joined on Jan 2010
#6
Originally Posted by tswindell:
I was under the impression Nokia have been cooking up their own GNU/Linux security module. Though I'm not sure if this will be used in MeeGo, I think it was certainly their intention to have it in the Harmattan device. Though I could be way off here ...
Is that perhaps the DRM system they were going to (and probably will) put in MeeGo? That'll be more as an anti-piracy move on their part, to get more of the big-time developers to release stuff for MeeGo. It won't protect against someone uploading a backdoor named "really funny fart app" and owning a ton of devices and everything in them (there's a lot of sensitive information in these devices nowadays..).
Posts: 3,397 | Thanked: 1,212 times | Joined on Jul 2008 @ Netherlands
#7
Originally Posted by tentpole:
Is that perhaps the DRM system they were going to (and probably will) put in MeeGo? That'll be more as an anti-piracy move on their part, to get more of the big-time developers to release stuff for MeeGo.
Yep, see http://wiki.maemo.org/Maemo_security

It won't protect against someone uploading a backdoor named "really funny fart app" and owning a ton of devices and everything in them (there's a lot of sensitive information in these devices nowadays..).
Impact is a bit mitigated in 'closed mode'. In 'open mode', they could even brick your device.

UNIX doesn't handle this well though. To prevent this you'd need capability-based security (like Symbian has), or force applications to run in their own VM (sandboxing; which boils down to the same as capability-based security).

Originally Posted by zimon:
maemo5 is very vulnerable to MITM attacks because even serious developers just download deb packages and install them with dpkg -i. This way the authenticity of the package is not checked in any way; it can be anything if there is a MITM attack.
We usually include checksums of .deb packages in the Debian world, just like the BSD world does with their .tgz Ports.

Once a Thompson's Trojan Horse type of attack has been successfully made to some developer's system, the crack and the back door can propagate through the whole Linux community.

This is the long known weakness in deb-package-based systems.
There is a fix for having embedded signatures in deb packages, but practically no one is using it.

In the rpm system, the packages themselves have GPG signatures embedded.
So whether you install them after first transferring the package via USB stick, ftp, wget, bluetooth, *, the signature always comes along and is checked when the package is installed with the rpm program or by yum, zypper or whatever package manager Meego will have. (Ok, there can be RPM packages w/o signatures, but one has to force rpm to install this kind of package if the rpm settings are correctly set in the first place.)

I've been told the above reason is not why they chose RPM in Meego, nor the fact RPM is preferred by LSB, but for me it is an important plus and improvement. Also the RPM package system has transaction support, which comes in handy if the system is suddenly cold rebooted in the middle of a package installation, for example because the battery has drained.
APT does have a GPG backend to authenticate repositories. If you then download from e.g. HTTPS you are secure against MITM attacks on network layer, and package layer (provided the certificates are checked). It is still possible for hostile code to be inside a package no matter if it is a .deb or .rpm.
__________________
Goosfraba! All text written by allnameswereout is public domain unless stated otherwise. Thank you for sharing your output!

Last edited by allnameswereout; 2010-09-19 at 13:34.
 

The Following User Says Thank You to allnameswereout For This Useful Post:
Posts: 23 | Thanked: 12 times | Joined on Jan 2010
#8
Thanks for the link allnameswereout, there are slides on there and stuff!
Most people will probably stay in closed mode which seems pretty good security-wise if only downloading stuff from Ovi.

Now there's just the issue of browser or e-mail or other client exploits.
As we have seen with all the iphone jailbreaking, they are basically exploiting the browser or some client, so it is safe to assume there will be the same issues with MeeGo/Harmattan.

I liked the aegis manifest file for declaring what you are going to use in your app (that info could come up as a popup and warn the user about the capabilities the app will have if they choose to continue installation).
Oh and the protected storage.. hopefully email, sms and mms will be in protected storage (but that would make that data inaccessible in open mode though).

As you said allnameswereout, there's still a big need for sandboxing or better/simpler ACLs (capability-based like apparmor) for each app (based on the aegis manifest perhaps?)
 
Posts: 1,341 | Thanked: 708 times | Joined on Feb 2010
#9
Originally Posted by allnameswereout:
We usually include checksums of .deb packages in the Debian world, just like the BSD world does with their .tgz Ports.

APT does have a GPG backend to authenticate repositories. If you then download from e.g. HTTPS you are secure against MITM attacks on network layer, and package layer (provided the certificates are checked). It is still possible for hostile code to be inside a package no matter if it is a .deb or .rpm.
Not going to go into another deb/rpm debate, but I have to point out that checksumming without a cryptographic signature is pointless against a MITM attack. GPG authenticity checking without verifying the public key against some web of trust is also almost pointless against a MITM attack.

Using HTTPS is not always good enough protection against a MITM attack, and we know everyone is just wget'ing, ftp'ing, bluetooth-OBEX'ing and USB-stick'ing deb packages to their machines and installing with 'dpkg -i' without retrieving and checking the GPG signature. Having the GPG signature embedded in the software package and automatically enforcing checks against it (using keyrings) protects us (all) lazy people at least on some level.

With GPG-signatures, we at least know who we maybe are able to blame when the **** hits the fan.
 

The Following User Says Thank You to zimon For This Useful Post:
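The two points zimon makes in posts #3 and #9 (a checksum published next to the package proves nothing against a man in the middle, and a signature is only as good as the trust in the key it is checked against) can be shown in a few lines. The following is an added example written for this thread, not code from zimon, allnameswereout, MeeGo or any package manager; it stands in for the real formats with Ed25519 over a constructed payload, so the "package", the "checksum file" and the "maintainer key" are all hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Artifact is what a downloader ends up with after fetching a package over
// some channel (HTTP mirror, ftp, a USB stick): the package bytes, the checksum
// published next to it, and a signature if the packaging format carries one.
// All three arrive over the same untrusted path.
type Artifact struct {
	Package   []byte
	Checksum  string // hex SHA-256 of Package, as published alongside it
	Signature []byte // Ed25519 signature over Package; nil means "unsigned"
}

// NewMaintainerKey creates the signing key pair of a hypothetical package
// maintainer. In a real setup the public half is distributed out of band
// (a keyring shipped with the OS image), never fetched next to the package.
func NewMaintainerKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Publish is the maintainer side: hash the package and sign it.
func Publish(pkg []byte, key ed25519.PrivateKey) Artifact {
	sum := sha256.Sum256(pkg)
	return Artifact{
		Package:   pkg,
		Checksum:  hex.EncodeToString(sum[:]),
		Signature: ed25519.Sign(key, pkg),
	}
}

// Tamper models what a man in the middle on the download path can do.
// Regenerating the checksum file for the replaced package costs nothing,
// because a checksum only proves the download was not corrupted, not who
// produced it. The original signature is left in place (it will no longer
// match); if attackerKey is given, the package is re-signed with it instead.
func Tamper(a Artifact, replacement []byte, attackerKey ed25519.PrivateKey) Artifact {
	sum := sha256.Sum256(replacement)
	out := Artifact{Package: replacement, Checksum: hex.EncodeToString(sum[:]), Signature: a.Signature}
	if attackerKey != nil {
		out.Signature = ed25519.Sign(attackerKey, replacement)
	}
	return out
}

// ChecksumOK is the "download the .deb and compare the published hash" check.
func ChecksumOK(a Artifact) bool {
	sum := sha256.Sum256(a.Package)
	return hex.EncodeToString(sum[:]) == a.Checksum
}

// SignatureOK is the rpm-style check: the signature that travels with the
// package must verify under a key the installer already trusts. An unsigned
// package is refused rather than silently accepted.
func SignatureOK(a Artifact, trusted ed25519.PublicKey) bool {
	if len(a.Signature) == 0 {
		return false
	}
	return ed25519.Verify(trusted, a.Package, a.Signature)
}

func main() {
	pub, priv := NewMaintainerKey()
	genuine := Publish([]byte("genuine-package-v1.0"), priv) // constructed sample payload

	attackerPub, attackerPriv := NewMaintainerKey() // the attacker's own key pair
	replaced := []byte("backdoored-package-v1.0")   // constructed sample payload
	swapped := Tamper(genuine, replaced, nil)
	resigned := Tamper(genuine, replaced, attackerPriv)

	fmt.Printf("genuine : checksum=%v signature=%v\n", ChecksumOK(genuine), SignatureOK(genuine, pub))
	fmt.Printf("swapped : checksum=%v signature=%v\n", ChecksumOK(swapped), SignatureOK(swapped, pub))
	// Trusting whatever public key arrived with the download is the
	// "no web of trust" case: the attacker's own signature then verifies.
	fmt.Printf("resigned: pinned key=%v downloaded key=%v\n",
		SignatureOK(resigned, pub), SignatureOK(resigned, attackerPub))
}
```

The swapped package passes the checksum check and fails the signature check, which is the whole difference between the two; the re-signed package fails against the pinned key and passes against the key that came down the same pipe, which is why the key has to be verified independently of the download.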
Posts: 2,802 | Thanked: 4,491 times | Joined on Nov 2007
#10
Originally Posted by allnameswereout:
UNIX doesn't handle this well though. To prevent this you'd need capability-based security (like Symbian has)
Linux does have POSIX capabilities, it's just that nobody uses them.
 

The Following User Says Thank You to lma For This Useful Post:
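lma's point that POSIX capabilities exist on Linux but hardly anyone uses them is easy to check on a running system: the kernel prints each process's capability sets as hex masks in /proc/<pid>/status, and a process that truly runs with "user permissions" plus one or two capabilities shows a tiny mask, not 41 set bits. The program below is an added example for this thread, not code from the thread, MeeGo or any project; the capability names follow linux/capability.h, the status text in main is a constructed sample, and reading /proc/self/status only works on Linux.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// capNames maps a capability number (its bit position in the masks that
// /proc/<pid>/status prints) to its name, in the order of linux/capability.h.
var capNames = []string{
	"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
	"CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
	"CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
	"CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
	"CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
	"CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
	"CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
	"CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
	"CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
	"CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
	"CAP_CHECKPOINT_RESTORE",
}

// DecodeCapMask turns a hex mask such as "0000000000000400" (CapEff, CapPrm,
// CapBnd ... lines) into the names of the capabilities it contains, in bit order.
func DecodeCapMask(hexMask string) ([]string, error) {
	mask, err := strconv.ParseUint(strings.TrimSpace(hexMask), 16, 64)
	if err != nil {
		return nil, fmt.Errorf("bad capability mask %q: %w", hexMask, err)
	}
	var names []string
	for bit := 0; bit < 64; bit++ {
		if mask&(uint64(1)<<uint(bit)) == 0 {
			continue
		}
		if bit < len(capNames) {
			names = append(names, capNames[bit])
		} else {
			names = append(names, fmt.Sprintf("CAP_%d", bit)) // newer than this table
		}
	}
	return names, nil
}

// ParseStatusCaps extracts every Cap* line from the text of /proc/<pid>/status
// and decodes it, keyed by set name (CapInh, CapPrm, CapEff, CapBnd, CapAmb).
func ParseStatusCaps(status string) (map[string][]string, error) {
	sets := map[string][]string{}
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		line := sc.Text()
		if !strings.HasPrefix(line, "Cap") {
			continue
		}
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 {
			continue
		}
		names, err := DecodeCapMask(parts[1])
		if err != nil {
			return nil, fmt.Errorf("%s: %w", parts[0], err)
		}
		sets[parts[0]] = names
	}
	return sets, nil
}

// Excess returns the capabilities in have that are not in the allowlist
// needed: the question a least-privilege review asks of every service.
func Excess(have, needed []string) []string {
	allowed := map[string]bool{}
	for _, n := range needed {
		allowed[n] = true
	}
	var extra []string
	for _, h := range have {
		if !allowed[h] {
			extra = append(extra, h)
		}
	}
	return extra
}

// SelfCaps reads the calling process's own capability sets (Linux only).
func SelfCaps() (map[string][]string, error) {
	data, err := os.ReadFile("/proc/self/status")
	if err != nil {
		return nil, err
	}
	return ParseStatusCaps(string(data))
}

func main() {
	// Constructed sample: a service that was given only CAP_NET_BIND_SERVICE
	// but still carries the full bounding set.
	const sample = "Name:\tsample-daemon\nCapInh:\t0000000000000000\nCapPrm:\t0000000000000400\n" +
		"CapEff:\t0000000000000400\nCapBnd:\t000001ffffffffff\nCapAmb:\t0000000000000000\n"
	sets, err := ParseStatusCaps(sample)
	if err != nil {
		panic(err)
	}
	fmt.Println("sample CapEff:", sets["CapEff"])
	fmt.Println("sample CapBnd has", len(sets["CapBnd"]), "capabilities; beyond allowlist:",
		len(Excess(sets["CapBnd"], []string{"CAP_NET_BIND_SERVICE"})))
	if own, err := SelfCaps(); err == nil {
		fmt.Println("this process CapEff:", own["CapEff"])
	}
}
```

An effective set of 0x400 is what a capability-aware daemon looks like; 0x1ffffffffff on CapEff is a process that is root in everything but name, which is the usual state lma is describing. The bounding set is worth checking too, since it caps what the process can ever regain via setuid or file capabilities.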